The link in the email goes to a legitimate hacked site and then on to one to three scripts, as follows:

[donotclick]ekaterini.mainsys.gr/overspreading/hermaphrodite.js
[donotclick]sisgroup.co.uk/despairs/marveled.js
[donotclick]psik.aplus.pl/christian/pickford.js

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as this American Express themed malspam run described here.